Currently all interpreters are installed with the C flag, meaning that any setuid binary in a handled architecture (for example in a docker image) will run qemu as root. qemu has had numerous security issues over the years when run this way (see https://lists.gnu.org/archive/html/qemu-devel/2025-08/msg03401.html for some discussion). In many cases being able to run setuid architecture binaries is not necessary, so it would be nice to reduce the attack surface in these cases.
Currently all interpreters are installed with the
Cflag, meaning that any setuid binary in a handled architecture (for example in a docker image) will run qemu as root. qemu has had numerous security issues over the years when run this way (see https://lists.gnu.org/archive/html/qemu-devel/2025-08/msg03401.html for some discussion). In many cases being able to run setuid architecture binaries is not necessary, so it would be nice to reduce the attack surface in these cases.